$1M Reward Offered To Nab Data Breach Extortionist

Posted by Soulskill on Sat Nov 15, 2008 10:17 AM
from the i've-seen-this-it's-gary-sinise-send-me-a-check dept.
alphadogg writes with this excerpt from NetworkWorld: "Express Scripts, the pharmacy benefits management company which recently disclosed an extortionist is demanding money by threatening to expose millions of patient records the company holds, Wednesday said it has decided to offer $1 million to nab the perpetrator. 'We're going on the offense with this reward,' an Express Scripts spokesman said. The $1 million will be paid to anyone who provides information leading to the capture and conviction of the extortionist who sent a letter to Express Scripts in early October that contained personal information on 75 people, considered members, who use the company's pharmacy-benefits services. The extortionist claims to have information on millions more Express Scripts members and wants money to not reveal it."
  • by Anonymous Coward on Saturday November 15 2008, @10:27AM (#25770607)

    Terrorize the slimebag instead. Make him wonder which one of his buddies that he bragged to will turn him in.

  • Opportunity (Score:5, Interesting)

    by Anonymous Coward on Saturday November 15 2008, @10:27AM (#25770611)

    All the extortionist need do now is move the data to someone else's machine then shop him in.

    • The situation here isn't a "we want the data back" it's "we want to stop the perp"....different situation.

      • You misunderstand the GP's point: all the perp has to do is frame someone else for the crime, and said perp gets to keep the 1 million while someone innocent gets charged with his crime.

          • For $1M, the perp may be encouraged to try some Ninja access. Dead-tree plant in your residence and an anonymous phone call... that's all it would take.

            • Of course not, they're all completely incompetent! They got their jobs by sending in a coupon off a cereal box!

      • The situation here isn't a "we want the data back" it's "we want to stop the perp"....different situation.

        For a company that couldn't protect their data, didn't know they had been hacked, and didn't have records to investigate after the fact, do you think they really know what they want?

        As for who the perp is, I think there's more than one person. The extortionist, to be sure, should be caught and brought to justice, but so should the perps on the inside, who, through gross negligence or incompetency, let

    • Re:Opportunity (Score:5, Insightful)

      by zappepcs (820751) on Saturday November 15 2008, @10:34AM (#25770641) Journal

      I think there may be a small problem with that. Didn't the USA offer a reward similar to this for Osama Bin Laden?

      The trouble with being a friend of this extortionist is that all your sins are likely to be discovered if you turn them in, even if you do get the money.

      I'd like to see the reward work, but am not holding my breath for it.

      • all your sins are likely to be discovered if you turn them in

        $1 million would make me care very little about my own sins or who knows about them.

        • Re:Opportunity (Score:4, Insightful)

          by Cheerio Boy (82178) * on Saturday November 15 2008, @01:57PM (#25771701) Homepage Journal

          I think that it is sad that people are such cowards that having their prescription histories made public would worry them.

          It isn't about cowardice.

          It's about not wanting your employer to maybe fire you because you have an AZT prescription or are on chemotherapy or are on medicine for ADD/ADHD and have a job working with million dollar custom surface-mount circuitry or are a neurosurgeon.

    • Re: (Score:3, Insightful)

      All the extortionist need do now is move the data to someone else's machine then shop him in.

      The subsequent criminal investigation — capture and conviction are the conditions for the reward — is likely to reveal the truth anyway. Slipping somebody a gun, or bag of cocaine, or stolen (hey, at least, we aren't arguing about the applicability of the term here!) data does make the person a suspect, but not a convict — unless a policeman is doing it, for judges tend to trust those people...

      Th

  • by TaoPhoenix (980487) * <TaoPhoenix@yahoo.com> on Saturday November 15 2008, @10:31AM (#25770629)

    Pharmacom called.

    They're upset that the records on the Black Shakes might be released. Did Johnny Mnemonic loop it through Jones?

      • *notices nobody modded you funny*

        Such smugness.

        This is your official confirmation that whatever TV show you are into is NOT geek worthy. And it's probably been cancelled.

        This [wikipedia.org] is your official confirmation that you fit right in with the weekend wannabes. Buh-bye!

        • Srsly? You link to the movie? When there's the book? Not to mention that your point was made rather more eloquently by the AC before you.
      • This is your official confirmation that whatever TV show you are into is NOT geek worthy

        ha ha ha... FAIL.

  • by lysergic.acid (845423) on Saturday November 15 2008, @10:43AM (#25770679) Homepage

    isn't there a way to track the bank account that the payment is transferred to? how do those DDoS extortion rings collect the money that they demand from online businesses? i mean, if the criminals are asking that the money be wired to a specific account, couldn't the bank determine what bank that account belongs to (how else would they wire the money)? if the bank is located in a country that has an extradition treaty with the U.S. then they could just wire the money and catch the crooks when they try to access the account.

    on a separate note, my father recently had some inexplicable PayPal "instant transfers" show up on his checking account statement. however, he hasn't used PayPal or purchased anything from PayPal merchants in over 2-3 years. does anyone know if there is a common identity-theft or banking fraud technique involving the use of PayPal and checking accounts? or could this perhaps just be a computer error? i'm just wondering because if this is a sign of identity-theft then i need to have my dad cancel his checks and credit cards. and so far Washington Mutual has been very unhelpful regarding this situation.

    • If you attempt to link a bank account to paypal, it will charge a tiny amount of money to your account. Someone may be accidentally using the wrong number, or it may be more sinister. Sorry, but I don't know more.
      • well, there were two separate transactions made on two consecutive days--one for ~$90 and one for ~$30. so i don't think it could have been a surcharge. but thanks for the tip anyway.

        • LSD,

          The guy telling you that was wrong, anyway.

          Paypal GIVES you a few cents, twice, to verify your account.

          If you have two charges, chances are, something is amiss.

          WaMu is still in business?

          --Toll_Free

          • they're now part of JPMorgan Chase, so technically they're still in business, but they're under new management.

            i was hoping the change in ownership would be a good thing, but so far my experience with their customer service regarding banking fraud has been rather underwhelming. there's no dedicated support line for identity-theft/banking fraud/mischarges, and it's practically impossible to get a hold of a human operator even on weekdays during their regular business hours.

            i'm wondering if i should contact P

    • It's likely he didn't think that all the way through. You have to remember that criminals are often not all that savvy. He may have just assumed that the money would be paid and that'd be it. True, if the company didn't contact the FBI. However if it was paid out as a setup, pretty likely they'd find out who he is. Money is rather traceable, when necessary.

      That's one reason why you almost never see kidnapping for ransom in the US. Used to happen, but you find out that the FBI has a 100% closure rate these d

    • Either Western Union or bank wire.
    • Wire it to a bank in one of a number of countries where it is illegal to even ask who owns a bank account. There aren't as many places today, but there are still a few where accounts are all numbers. It's a numbered account and you have an id number, not a name. You call in, give the proper ID number and password and wire the money on to another bank, usually controlled by your friends in the >.

  • by erroneus (253617) on Saturday November 15 2008, @10:49AM (#25770695) Homepage

    I think some minimum security requirements are needed by law before people will start securing personal data like this. I think one thing preventing this is the wide deployment of Windows out there that could never meet strict security requirements. (That is just my bias talking.) The web server www.express-scripts.com is reported by nmap as running FreeBSD, but it also shows a few ports in the 8000 range "closed" but otherwise detected. I have to wonder what that's about... nmap identifies one of them as an apple-iphoto service port of some kind. I am sure that can't be right.

    IT has always been a wild-west environment where anyone can claim to be an expert. People set things up with no standards. It doesn't help that executives with no understanding of technologies or risks insist on things being done in spite of risks they are presented with. Even as there are problems all around with important data being lost, stolen, misplaced or exposed, people fail to look to the cause and prevention aspects of these problems. I cannot imagine this changing until people are threatened with massive fines or imprisonment. The fines that many businesses suffer in other areas are insufficient deterrent and become factored into business budget plans... the fines must be MASSIVE.

    • Do you frequently port scan sites you don't own? Just curious...
      • Before I open my mouth and say "hey, they are probably running windows!" I thought it best to do essentially the same thing NetCraft does. Port scanning is not an attempt at entry.

        But to answer your question: no, I don't. I just use the legal resources I have available to me to get some facts before I make comments. Not only do I RTFA most of the time, I also do what fact-checking I can within a few seconds... don't you?

        • That sure depends on what country you are in.

          Some years back a kid in Denmark got hit with attempted hacking because he was port scanning sites, the court found him guilty because he not only had NMAP but other tools that in conjunction could be used for hacking.

    • Re: (Score:3, Insightful)

      You seem to be going on the assumption that the breach was somehow done through purely technical means. This may very well not be the case. Maybe somebody lost some data through leaving it on a laptop/memory stick, maybe someone who works for the company got this info, or it could very well have been obtained with some good old fashioned social engineering.
      • You seem to be assuming something I never wrote. I specified any number of ways breaches happen, including "lost and misplaced" things.

        However, with that said, it is stupid for people to be able to walk around with data on laptops at all. If it is important, it is important that it stay locked up and accessed remotely and securely... and really, best if it isn't even remotely at all.

        What business does anyone have with needing to have such important data as large contact/customer/personal-records databases

  • and $3 Million if you also bring along the exploit code, so we know what got past.

  • by mpapet (761907) on Saturday November 15 2008, @11:05AM (#25770765) Homepage

    Instead of having an article entitled "Millions of identities stolen" with text like "massive compromise" we have a revenge story.

    That's why corporate officers get paid the big bucks. They screw you and you feel good about it.

  • by freelunch (258011) on Saturday November 15 2008, @12:06PM (#25771077)

    Many 'pharmacy benefit management' companies profit by selling information about your drug purchases - and probable ailments - to the highest bidder. This is a gray area of the law. You are typically NOT able to opt-out of this selling of your information. HIPAA doesn't cover this, just like it doesn't cover off-shore companies who sell your data. It is a rapidly growing market.

    Insurance companies like Humana even make a point of mentioning that they will disclose your health data to third parties who may not be subject to privacy regulations.

    So I have to ask, who is more evil here?

    • Just to add to that, these very same companies often have exclusive distribution rights [nytimes.com] for specialty drugs that often cost thousands of dollars a month. "Pharmacy benefit managers" reap huge profits from these drugs, even though it runs against the company's supposed goal of saving money.

    • Covered by personal data protection laws; you seriously need one of those in the US. (And yeah, I know the libertardian argument against it (that it would cost zillions to business (which is obviously wrong (but that would not stop a 'tardian, would it?))))

      Additionally, as I understand it, this kind of thing is also considered a major breach of pharmacist/patient privilege around here. Any pharmacist who would leak this info in the first place would quickly lose his license, on top of being criminally prosecuted. I don't even think the insurance companies get detailed info about what they're reimbursing as far as prescription meds are concerned.

      • > Covered by personal data protection laws; you seriously need one of those in the US.

        Sure. Then we can have police cameras in the restrooms, too.

        > Any pharmacist who would leak this info in the first place would quickly lose his license...

        Yes, that is the case in the US.

        • by Detritus (11846) on Saturday November 15 2008, @02:45PM (#25771961) Homepage
          Yes, that is the case in the US.

          I don't think so. This information has been collected and sold for decades. One of my relatives is a pharmacist. When business was slow, she would fill out a small form for each prescription that was dispensed that day. The data collection company paid a small fee for each completed form. This practice wasn't secret or considered a violation of professional ethics.

  • I would've applauded the company's stance immediately, had it not been for a nagging thought: the data is not entirely theirs.

    What's less ethical: paying off a blackmailer, or risking your customer's very sensitive data?

    Then again, there is no guarantee the blackmail will ever stop anyway — even embarrassing photos can be copied before returning, digital files are practically guaranteed to remain in the scumbag's possession — so trying to apprehend the guy would still seem like the right t

  • I know the implications this has on individual privacy but I am angry at the corporate greed and irresponsibility currently going on so a part of me cheers this individual on. If they can get a cool million, fine! It'll send a message against invincibility to the corporation. Maybe it will cause Express to humble itself a bit.
  • better to put it in escrow for the coming lawsuits regarding careless handling of private information.

    Tho I suppose if even a small percent of the "millions" exposed all take up legal action (or class action it?) as a result of the extortionist exposing their records, 1M won't get them off to a very good start. I wonder how much the courts would judge for damages regarding mishandling and loss of personal information like that, per-victim? Paying a $1M bounty on his head is probably a good deal for Expres

    • by Kneo24 (688412) on Saturday November 15 2008, @11:14AM (#25770803) Homepage

      I completely agree. I've known people who have worked for that company. Now anyone dealing with their customer service or prescription filling has to sign an NDA saying that even after leaving, they can't disclose any information. Apparently a lot of famous people like to pop prescription drugs (no surprise there).

      Their security at night is lax. The women don't work and instead just find the nearest security guard and closet and have some fun. Either way, it wouldn't be too hard to get a lot of information and dip your hands into the extortion bracket.

      • I completely agree. I've known people who have worked for that company.

        Your second cousin's sister's best ex friend, no doubt.

        Now anyone dealing with their customer service or prescription filling has to sign an NDA saying that even after leaving, they can't disclose any information.

        Just what drug are you taking? Patient data privacy is covered by HIPAA; you don't need an NDA to nail people for things that are blatantly illegal.

        Apparently a lot of famous people like to pop prescription drugs (no surpr

    • by lysergic.acid (845423) on Saturday November 15 2008, @11:41AM (#25770913) Homepage

      RTFA, they have upped their security since the letter was sent to them. and since no one knows how exactly the records were stolen, i think you're just talking out of your ass claiming it as "complete stupidity on their part."

      at least the company is smart enough to realize that there's no such thing as perfect security (which apparently is more than can be said about you). however, having found themselves in a situation in which their customer records have been stolen, they are taking all precautionary measures to minimize the damage.

      they were honest about the breach and came out publicly about it rather than trying to suppress the information. they contacted the FBI, who have launched an ongoing criminal investigation. the company has also hired data security & computer forensics experts to launch their own independent investigation into the matter. additionally, they have contracted a risk-consulting firm to provide free identity restoration services to affected customers in order to mitigate potential damages. they seem to have done everything in their power to redress the situation. what else were they supposed to do? give in to the extortionists' demands and try to sweep this under the rug?

        • Re: (Score:3, Informative)

          again, RTFA:

          We're in the process of notifying our members and clients to enable them to take steps to protect themselves from possible identity theft.

          We have notified the members whose information appeared in the extortion letter. We notified the FBI immediately after we received the letter and they continue to investigate. Additionally, we launched our own investigation with the assistance of outside experts in data security and computer forensics.
          [...]
          How do I know if my company received an extortion lett

      • > They are in a situation that they could actually have to pay this. I'd rather them do
        > this than pay the fee, as I would expect someone to dump the records onto the black
        > market anyways after they got paid. Why would you expect honor from a thief?

        No need to postulate honor. He may be planning on doing this again.

        On the other hand, perhaps he has done it before and did as you suggest, with the result that you see. Besides, whether they pay the ransom or not the company must behave as if the ext